Ad-injecting trojan targets Mac users on Safari, Firefox, and Chrome

Users are socially engineered into installing the trojan and seeing rogue ads.

Have you begun noticing unexpected ads appearing on unlikely websites while browsing on your Mac? If so, it's possible you've been infected with Trojan.Yontoo.1, which has been identified by Russian anti-virus firm Doctor Web as a malware variant affecting OS X users. No infection numbers were provided and Doctor Web is currently the only company reporting the threat, indicating that it has been fairly limited thus far. Still, its existence shows how Mac users continue to be targeted by malware writers and how easy it is to trick some users into installing it.

Here's how Trojan.Yontoo.1 works. An installer is presented to users as a browser plugin—usually on specially crafted webpages claiming to show movie trailers—but may also present itself as a media player, download accelerator, or "a video quality enhancement program." The installer asks the user if he or she wants to install an app called Free Twit Tube; at that point, the installer downloads the trojan from the Internet, which installs a plugin for all available browsers, including Safari, Firefox, and Chrome.

From there, the Yontoo trojan monitors your Web browsing and, according to Doctor Web, transmits information about what pages you visit to a remote server. It then injects ads into those pages using third-party code, allowing the attackers to collect unauthorized ad views on nearly any website they please. And yes, that includes Apple's own website.

The Yontoo adware injects ads on pretty much any webpage, including Apple's site.

Schemes like this are nothing new to the Windows world (Symantec has a note about Yontoo on Windows) but they're becoming increasingly common for Mac users as well. On the upside, Yontoo doesn't appear to take advantage of any security holes in OS X; it relies entirely upon social engineering to get itself installed on a user's machine. But as we know from past experience, there are ways for malware to make its way onto the Mac without the aid of the user—Apple has already blacklisted older versions of the Java and Flash plugins due to security holes that put even the most conscientious users at risk.

Jacqui Cheng
Jacqui is an Editor at Large at Ars Technica, where she has spent the last eight years writing about Apple culture, gadgets, social networking, privacy, and more. Email: jacqui@arstechnica.com / Twitter: @eJacqui

I guess someone really wants their Ad Revenue. I just have to laugh at the name of the program. Twit Tube.

Yeah, my first thought was "anyone that installs a program called 'Twit Tube' probably deserves to get force fed ads."

RPackerII wrote:

Huh. So Mac users in their little "I can never get a virus because I have a Mac" world are now becoming larger targets. Welcome to modern computing.

Mac users have known for years that there is malware out there specifically targeted at them, and also have known that Macs aren't bulletproof. Trying to poke at Mac users over this "perception" is just one step up from claiming that Macs don't have a two button mouse. Welcome to the 21st Century.

This is very very wrong. I do computer support for a living and deal with PCs and Macs, and customers who are considering transitions between the platforms, and almost 100% of the time when someone wants to switch from PC to Mac, it is because they think Macs don't get viruses and don't crash, and don't have problems ever. This is the perception Apple has given via its advertising and marketing. It is a good perception to give, but when reality doesn't match up, you have problems, which is the case right now. The other thing they do when trying to decide between PC and Mac is they look at a PC laptop that costs 500 bucks, and then look at a MacBook Pro, which is like 3x as much, for just the base 13" model. Then they make a statement on how much faster the Mac feels. I constantly have to tell people to compare things in the same price range, and to do that you have to start at ultrabooks on the PC side of things.

How does one uninstall this trojan once a computer is infected? I've been using Macs for something like 15 years now and I'm not sure I'd know how. I've always found uninstallation a bit sloppy in Macs - trashing a folder doesn't quite seem "complete".

How does one uninstall this trojan once a computer is infected? I've been using Macs for 10 years and I'm not sure I'd know how. I've always found uninstallation a bit sloppy in Macs - trashing a folder doesn't quite seem "complete".

Apple will probably update the Xprotect file shortly and that will probably take care of it for you.

Besides, uninstalling legitimate programs and uninstalling malware are two very, very different things.

Other than that, legitimate programs will often leave data in ~/Library/Preferences and ~/Library/Application Support. This shouldn't cause any interference with other installed programs, though.

How does one uninstall this trojan once a computer is infected? I've been using Macs for something like 15 years now and I'm not sure I'd know how. I've always found uninstallation a bit sloppy in Macs - trashing a folder doesn't quite seem "complete".

Generally, there is no "one true method" for removing malware, since they are not installed (most of the time) using any of the operating system's blessed methods for adding software. I used to assist a buddy of mine with his PC repair/tuning business, and removing Trojans was always the biggest pain in the ass. Usually, we'd have to go and find a kit that had been specifically designed to remove the Trojan (or we would have to track down all of its signatures and remove them by hand).

Considering how the Mac has been growing so much the last few years, any Mac user with some basic knowledge of malware is realising there will be more and more malware out there as the platform gets more attractive. It will be interesting to see how Apple is preparing for it, especially when it comes to the iOS platform.

I'm surprised there isn't more malware for Macs out there. Maybe because they know a lot of the Mac users are younger people, who are a bit more used to the dangers of the internet?

The name is familiar to me: A program called Yontoo Layers is on the Windows platform. I find it on infected machines a lot.

Same lipstick, new pig this time.

I tell people that tell me they are going to buy Macs 'cause they don't get viruses plain and simple.

PCs don't get viruses, users get viruses.

Their inability to keep products up to date, or not learning to click every flashing goddamn thing they see, is basically admission of their own faults.

Telling someone they failed is fun, and it's the only way you can get them to change their ways sometimes. If you treat everyone like an innocent snowflake, they will continue to make the same mistakes again and again no matter what platform.

This is also why new Macs ship with that setting "Allow applications downloaded from Mac App Store and identified developers."

If these guys wrote the installer using an Apple Dev account, you can be sure that key is going to get revoked, which means by default double-clicking that installer simply won't work. You'll have to right-click it and select "open" from the menu.

Huh. So Mac users in their little "I can never get a virus because I have a Mac" world are now becoming larger targets. Welcome to modern computing.

Sorry, your nerd card must now be revoked, please walk to the front of the building and turn it over to the guard on your way out. Have a nice life!

This is a tired old troll. 1) This is a trojan horse, not a virus. Any system, even Unix systems, can technically get trojan horses. Trojan horses require intervention of the person at the keyboard. Fool that person and you can pwn any system, no OS is safe. Note how in the article it clearly pointed out that it requires the user to click on something to install. 2) Experts have never said "Macs don't get viruses", those are the media who incorrectly report that statement, and then fail to educate people, such as yourself, what the difference is between a trojan horse and a virus. 3) The proper statement is that "there are very few Mac viruses and trojans compared to Windows, for example." This is borne out by the fact that it's a major news story when a Mac gets a single malware report, and yet there are dozens constantly for Windows and they barely make it off the virus software makers' websites because they just aren't interesting any more. 4) What needs to be followed up on by this and other stories is how Apple is handling them. A couple viruses were found recently for Macs, but they required a backdoor through Java, an old and insecure technology. Apple is no longer shipping Java installed on Macs, making them more secure, and used a method of disabling Java if an installed version isn't on the correct version with a fix to the problem. Much better than slapping another definition into a virus checking package.

To be fair (or pedantic), Leo Laporte's TWiT (This Week in Tech) network is a respected name in video podcasting, using innovation in live streaming Internet shows about technology subjects, more well known to smart geeks than to the general public. I'm watching Tech News Today right now (live.twit.tv).

RPackerII wrote:

Huh. So Mac users in their little "I can never get a virus because I have a Mac" world are now becoming larger targets. Welcome to modern computing.

You have to recognize one thing: The subject of this article is not a virus.

Mac users have known for years that there is malware out there specifically targeted at them, and also have known that Macs aren't bulletproof. Trying to poke at Mac users over this "perception" is just one step up from claiming that Macs don't have a two button mouse. Welcome to the 21st Century.

The problem is there are still kool aid drinkers out there. I wouldn't be snippy with Mac users if they still didn't tout the claim that their system is bullet proof. Yes. OS X does have strong security. So does Windows if you configure it correctly (that caveat has always been the killer because of idiot OEMs). But there is still a healthy percentage who think that OS X is infallible.

If you would take control of your fellow Mac users and smack them when they act as if their farts smelled better than everyone else's, you'd see everyone else tone down posts like RPackerII makes in Apple articles.

But that is only part of the issue...you have these tiresome claims that everyone and their second uncle's kid is copying Apple which is just complete BS as well and that Apple never copies anyone. But that is another 3 page rant right there.

The gist of it is, while a healthy percentage of Apple users continue to act like arrogant a holes. (And let's be fair, ALL platforms from Windows, to Android, to Playstation, to 360, to Ford, to Chevy all have such jerks. Apple however has turned it into a tool to drive sales making them more rabid than most.) We are going to shove it back in their face. Call it Mutually Assured Jackassery.

Huh. So Mac users in their little "I can never get a virus because I have a Mac" world are now becoming larger targets. Welcome to modern computing.

There is a thread of truth in his comment. I will rewrite it for him, so it is less douchey.

And so I quote from the newly enlightened RPackerII, "Hmm. So Mac users are becoming more mainstream. Back when the Mac was a niche platform there was less interest in developing malware for it. As it grew in popularity Mac users have learned to be more aware of malware. Welcome to success?"

The name is familiar to me: A program called Yontoo Layers is on the Windows platform. I find it on infected machines a lot.

Same lipstick, new pig this time.

I tell people that tell me they are going to buy Macs 'cause they don't get viruses plain and simple.

PCs don't get viruses, users get viruses.

Their inability to keep products up to date, or not learning to click every flashing goddamn thing they see, is basically admission of their own faults.

Telling someone they failed is fun, and it's the only way you can get them to change their ways sometimes. If you treat everyone like an innocent snowflake, they will continue to make the same mistakes again and again no matter what platform.

I disagree with your approach. I cultivate a camaraderie with my users, in the battle against the spread of malware. I encourage vigilance and self-education. And I never blame them. I might point out how what they might have done seemed harmless at the time, but I then explain "social engineering" briefly, and I show them how they can help defend themselves. And I have no trouble afterward.

I will say I'm fortunate to have relatively conscientious users. But I also try to avoid browbeating them over this stuff, because it's true... Any computer is vulnerable in some way, and even the smartest folks can fall for well-crafted ploys. So while I get that "users get viruses," it follows then that users are the chief defense against viruses, and so putting them on the team seems like a strong way of helping them do that.

This is very very wrong. I do computer support for a living and deal with PCs and Macs, and customers who are considering transitions between the platforms, and almost 100% of the time when someone wants to switch from PC to Mac, it is because they think Macs don't get viruses and don't crash, and don't have problems ever.

You'll note that I specifically said "Mac users" and not "people considering switching from a PC to a Mac". I don't doubt that there are people unfamiliar with the Mac platform who hold a lot of misconceptions about it. I'm also not saying that every Mac owner is fully aware that they can get hit with malware (otherwise stories like this wouldn't exist). What I am saying is that most Mac users that I'm aware of (and I spent 5 years selling Macs and supporting them) are aware that the "Macs don't get viruses" trope is a fable.

I'm assuming that you correct the people who come to you for advice on switching, as did I. But the idea that all of us Mac users sit smugly, assuming that no outside harm could ever come to our computers is pretty much a fallacy that a lot of Mac haters love to trot out every time some Mac malware comes out.

This is very very wrong. I do computer support for a living and deal with PCs and Macs, and customers who are considering transitions between the platforms, and almost 100% of the time when someone wants to switch from PC to Mac, it is because they think Macs don't get viruses and don't crash, and don't have problems ever. This is the perception Apple has given via its advertising and marketing. It is a good perception to give, but when reality doesn't match up, you have problems, which is the case right now.

So, the problem wasn't idiot Mac users thinking their platform was invulnerable, but idiot Windows users who didn't do any research into anything and just "assumed" Macs didn't get viruses, and then continued on their risky behavior thinking they were immune? You'd think they'd be cautious from the start since it's so ingrained into their psyche.

The problem is there are still kool aid drinkers out there. I wouldn't be snippy with Mac users if they still didn't tout the claim that their system is bullet proof.

Ah, the "other people are dicks, so I'm going to proactively be a dick whenever the subject comes up to rub it in the faces of those dicks, who probably aren't even here to read it" argument.

Edit: I'll note that here on Ars, if someone were to claim that Macs are bulletproof on either the Mac Ach, or the Battlefront, on the Ach, they'd be told that they're an idiot. In the BF, they'd be told that as well as correctly labeled a troll.

I've always found the best way to get rid of malware is to just not get malware in the first place. If you learn to avoid suspicious links and things that sound too good to be true, you avoid about 99% of malicious software. Honestly, most Trojans and such prey on the ignorant and lazy. If you just keep your eyes open and your head out of your posterior, these malefactors won't get by you.

If some new OS came out this year and it exploded onto the scene with a few hundred million users it would become a target very quickly. Nothing is truly safe in the virtual realm, there will always be the next hack, exploit, bug, or whatever.

The best defense against this is not what OS you use, it's through educating the users plain and simple. If everyone would take just five minutes a day to read up on online security it would be a lot harder for the makers of malicious software to dupe users.

...This is very very wrong. I do computer support for a living and deal with PCs and Macs, and customers who are considering transitions between the platforms, and almost 100% of the time when someone wants to switch from PC to Mac, it is because they think Macs don't get viruses and don't crash, and don't have problems ever. This is the perception Apple has given via its advertising and marketing. It is a good perception to give, but when reality doesn't match up, you have problems, which is the case right now. The other thing they do when trying to decide between PC and Mac is they look at a PC laptop that costs 500 bucks, and then look at a MacBook Pro, which is like 3x as much, for just the base 13" model. Then they make a statement on how much faster the Mac feels. I constantly have to tell people to compare things in the same price range, and to do that you have to start at ultrabooks on the PC side of things.

Apple's Mac market has always consisted primarily of those who don't know any better... If not for these people, who we will affectionately call "n00bs," the OS X Mac would have little business at all. Jobs (RIP) always targeted n00bs with his propaganda because that group is by far the easiest to fool with anti-Windows ranting (It used to be anti-Intel ranting, too, before Jobs (RIP) decided he'd been dead wrong about Intel for all of those years.)

Little has changed in that regard. Longtime Mac owners are content to allow Apple to make all of their configuration decisions; longtime Windows users make their own configuration decisions and prefer to keep it that way. Today, I cannot imagine the limitations inherent in OEM system builds applying to me! Horrors, to be stuck with what's convenient for an OEM to sell me, Dell or Apple, makes no difference. People sticking with Apple computer hardware for years and even decades (in some rare cases) remind me of would-be bicyclists who never move beyond the training-wheels state and are content. Their appreciation for computing is as superficial as the "knowledge base" they work out of.

Enlightening them as to the errors of their percipience is as exhausting as it is frustrating, and these days I just smile and nod and move on when OS X users inform me that all I have to do is to power up my Windows box and connect to the Internet and I will automatically be festooned with viruses and Trojans. They mean well, I suppose, and believe it themselves. If people don't learn through experience then they never will.

Have you begun noticing unexpected ads appearing on unlikely websites while browsing on your Mac? If so....

Yep, more and more ads keep popping up on ARS all the time. Really love the one where I accidentally rollover it and it expands out to take up the content area of the page where I'm trying to read the article I came for in the first place.

Quote:

Here's how Trojan.Yontoo.1 works. An installer is presented to users as a browser plugin—usually on specially crafted webpages claiming to show movie trailers—but may also present itself as a media player, download accelerator, or "a video quality enhancement program." The installer asks the user if he or she wants to install an app called Free Twit Tube; at that point, the installer downloads the trojan from the Internet, which installs a plugin for all available browsers, including Safari, Firefox, and Chrome.

...This is very very wrong. I do computer support for a living and deal with PCs and Macs, and customers who are considering transitions between the platforms, and almost 100% of the time when someone wants to switch from PC to Mac, it is because they think Macs don't get viruses and don't crash, and don't have problems ever. This is the perception Apple has given via its advertising and marketing. It is a good perception to give, but when reality doesn't match up, you have problems, which is the case right now.

Apple's Mac market has always consisted primarily of those who don't know any better... If not for these people, who we will affectionately call "n00bs," the OS X Mac would have little business at all. Jobs (RIP) always targeted n00bs with his propaganda because that group is by far the easiest to fool with anti-Windows ranting (It used to be anti-Intel ranting, too, before Jobs (RIP) decided he'd been dead wrong about Intel for all of those years.)

Little has changed in that regard. Longtime Mac owners are content to allow Apple to make all of their configuration decisions; longtime Windows users make their own configuration decisions and prefer to keep it that way. Today, I cannot imagine the limitations inherent in OEM system builds applying to me! Horrors, to be stuck with what's convenient for an OEM to sell me, Dell or Apple, makes no difference. People sticking with Apple computer hardware for years and even decades (in some rare cases) remind me of would-be bicyclists who never move beyond the training-wheels state and are content. Their appreciation for computing is as superficial as the "knowledge base" they work out of.

Enlightening them as to the errors of their percipience is as exhausting as it is frustrating, and these days I just smile and nod and move on when OS X users inform me that all I have to do is to power up my Windows box and connect to the Internet and I will automatically be festooned with viruses and Trojans. They mean well, I suppose, and believe it themselves. If people don't learn through experience then they never will.

kleinma are you referring to the "I'm a Mac, I'm a PC" ads from 5 years ago? Apple hasn't run ads like that since MacDefender happened. Things have changed a lot since then.

WaltC I think you're CONFUSING MacOS with iOS. I can only assume your experience is based in things you've read on the internet and not through first hand interaction. But just to clear things up. Jobs didn't choose PPC, Sculley did. (Are you CONFUSING Intel with IBM???) And Dell and Apple couldn't have more opposing philosophies, what a strange comparison.